Permission denied when accessing volume data.

0x1618
FREE

2 months ago

Hello, I can’t get HashiCorp Vault working because of the following error:

Error initializing storage of type raft: failed to create fsm: failed to open bolt file: open /vault/raft/vault.db: permission denied
Vault is running under the non-root user vault, and I suspect the issue is related to the volume being attached as root.

I’ve tried the following without success:
Setting RAILWAY_RUN_UID=0
Running the container as USER root
Creating /vault/raft and changing ownership to the vault user

None of these worked, and I’m starting to lose my mind trying to set this up.

Dockerfile

```dockerfile
FROM hashicorp/vault:1.20

ARG ENABLE_UI=true

COPY vault-config.sh /vault-config.sh

# Render the HCL config at build time from the ENABLE_UI build arg.
RUN chmod +x /vault-config.sh && \
    export ENABLE_UI=${ENABLE_UI} && \
    /vault-config.sh

# vault-config.sh writes the file into the build working directory.
RUN mv vault-config.hcl /vault/config/vault-config.hcl

EXPOSE 8200

CMD [ "vault", "server", "-config", "/vault/config/vault-config.hcl" ]
```

vault-config.sh

```sh
#!/bin/sh
# Render vault-config.hcl into the current directory; ENABLE_UI is exported by the Dockerfile.
echo "
ui                      = ${ENABLE_UI}
api_addr                = \"http://127.0.0.1:8200\"
cluster_addr            = \"https://127.0.0.1:8201\"
disable_mlock           = true

storage \"raft\" {
    path = \"/vault/raft\"
    node_id = \"raft_node_1\"
}

listener \"tcp\" {
    address     = \"[::]:8200\"
    tls_disable = true
}
" > vault-config.hcl
```
Solved, $10 Bounty

5 Replies

Railway
BOT

2 months ago

Hey there! We've found the following might help you get unblocked faster:

If you find the answer from one of these, please let us know by solving the thread!


0x1618
FREE

2 months ago

Hey, does anybody know how to actually fix this? I still haven’t managed to resolve the issue. Vault is the foundation of our infrastructure, and without it I can’t even test how Railway will go with our existing setup. This blocks me from creating a company account and selecting a plan.


2 months ago

Sure does look like it's related to being root:
https://station.railway.com/questions/laravel-app-permission-denied-to-write-0d61fcf2 had a similar issue!
Somebody found a solution by adding:
```sh
#!/bin/sh
# chown the mount to allow the www-data user read and write access.
chown -R 33:33 /var/www/html/storage/app/public && echo " added permissions to mounted volume"
# optimize filament for production (optional).
php /var/www/html/artisan filament:optimize
```

as a startup sh script. Would 100% need to tweak that to fit your use case exactly. They added it as a step in their dockerfile.
I think this should help!


0x1618
FREE

2 months ago

I already saw this. I’ve gone through almost every topic about this on the forum, but still haven’t found a solution.

The example above doesn’t apply to me - I think the volume mount happens during deployment, not during the build.

The example above used an auto-start script in the entrypoint, which I believe is specific to that image. It runs at deployment, not during the build, meaning it runs when the container is already up and the volume is mounted.

The things I’ve tried don’t work because the mounted volume overwrites the directory, so it doesn’t matter if I run chown.


0x1618
FREE

2 months ago

I fixed it. HashiCorp Vault (/usr/local/bin/docker-entrypoint.sh) has an entrypoint script that checks for /vault/file. If it exists, it will chown it to vault:vault. I simply changed the path from /vault/raft to /vault/file.

##### /usr/local/bin/docker-entrypoint.sh (excerpt)

```sh
if [ "$(stat -c %u /vault/file)" != "$(id -u vault)" ]; then
    chown -R vault:vault /vault/file
fi
```

However, you can also use ENTRYPOINT to run a script on the built image. ENTRYPOINT will run just before CMD during deployment. Here, I use entrypoint-wrapper.sh because HashiCorp Vault already has its own entrypoint.

```dockerfile
COPY fix-permissions.sh /
COPY entrypoint-wrapper.sh /
RUN chmod +x /fix-permissions.sh /entrypoint-wrapper.sh

ENTRYPOINT ["/entrypoint-wrapper.sh"]
```

##### fix-permissions.sh

```sh
#!/bin/sh

# Runs at container start, after the volume is mounted, so the chown sticks.
if [ ! -d "/vault/raft" ]; then
    mkdir -p "/vault/raft"
fi

chown -R vault:vault "/vault/raft"
```

##### entrypoint-wrapper.sh

```sh
#!/bin/sh
/fix-permissions.sh
# Hand off to the image's own entrypoint with the original CMD arguments.
exec /usr/local/bin/docker-entrypoint.sh "$@"
```

Status changed to Solved chandrika 2 months ago
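A stricter version of the fix-permissions and wrapper steps from the solved reply, added here as an example and not taken from the thread: it only chowns when the owner is actually wrong (the check the Vault entrypoint itself uses for /vault/file), logs what it did, refuses to pretend when it is not root, and execs the upstream entrypoint so root is held only for the fix. The raft path, the `vault` service account and the upstream entrypoint location are assumptions carried over from the post.

```sh
#!/bin/sh
# Added example (not from the thread): fix-permissions + entrypoint wrapper in
# one file. RAFT_DIR, the service account and the upstream entrypoint path are
# assumptions taken from the post above and can be overridden by environment.
set -eu

RAFT_DIR="${RAFT_DIR:-/vault/raft}"
SVC_USER="${SVC_USER:-vault}"
SVC_GROUP="${SVC_GROUP:-vault}"
UPSTREAM="${UPSTREAM:-/usr/local/bin/docker-entrypoint.sh}"

# ensure_owned DIR USER GROUP
# Creates DIR if the volume came up empty and hands it to USER:GROUP only when
# the owner is actually wrong. Prints created|chowned|unchanged so the deploy
# log records what happened; a recursive chown over an existing raft database
# on every boot is slow and pointless when ownership is already correct.
ensure_owned() {
    dir="$1"; user="$2"; group="$3"
    status="unchanged"
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir"
        status="created"
    fi
    if [ "$(stat -c %u "$dir")" != "$(id -u "$user")" ]; then
        chown -R "$user:$group" "$dir"
        status="chowned"
    fi
    echo "$status"
}

main() {
    if [ "$(id -u)" = 0 ]; then
        echo "entrypoint-wrapper: $RAFT_DIR $(ensure_owned "$RAFT_DIR" "$SVC_USER" "$SVC_GROUP")"
    else
        # Without root we cannot repair ownership; say so up front instead of
        # letting Vault fail later with the less obvious "permission denied".
        echo "entrypoint-wrapper: not root, leaving $RAFT_DIR ownership as is" >&2
    fi
    # Hand off to the image's own entrypoint, which switches to the vault user
    # before starting the server; exec keeps PID 1 from being a root shell.
    exec "$UPSTREAM" "$@"
}

# The wrapper is always invoked with Vault's CMD as its arguments; with none
# (e.g. when the file is loaded only for its functions) nothing is started.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```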